Hello community,

here is the log from the commit of package libvpx for openSUSE:Factory checked 
in at 2017-09-07 22:07:43
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/libvpx (Old)
 and      /work/SRC/openSUSE:Factory/.libvpx.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "libvpx"

Thu Sep  7 22:07:43 2017 rev:33 rq:519848 version:1.6.1

Changes:
--------
--- /work/SRC/openSUSE:Factory/libvpx/libvpx.changes    2017-03-10 
21:02:39.637528311 +0100
+++ /work/SRC/openSUSE:Factory/.libvpx.new/libvpx.changes       2017-09-07 
22:07:57.903365807 +0200
@@ -1,0 +2,6 @@
+Thu Aug 31 06:26:03 UTC 2017 - adr...@suse.de
+
+- limit maximum size to 8K Fulldome resolution to avoid
+  DoS attacks. CVE-2017-0641 boo#1056539
+
+-------------------------------------------------------------------

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ libvpx.spec ++++++
--- /var/tmp/diff_new_pack.TCAIOX/_old  2017-09-07 22:07:58.523278424 +0200
+++ /var/tmp/diff_new_pack.TCAIOX/_new  2017-09-07 22:07:58.527277860 +0200
@@ -131,6 +131,13 @@
     --extra-cflags="-std=gnu89 -U_FORTIFY_SOURCE %{optflags}" \
     --extra-cxxflags="-U_FORTIFY_SOURCE %{optflags}" \
     --enable-pic
+# size-limit to avoid CVE-2017-0641 DoS attacks. The limit is the
+# 8K Fulldome resolution and should be enough for all current use cases
+# bso#1056539
+# the --size-limit switch is broken atm ...
+echo '#define DECODE_WIDTH_LIMIT 8192'  >> vpx_config.h
+echo '#define DECODE_HEIGHT_LIMIT 8192' >> vpx_config.h
+
 make %{?_smp_mflags} verbose=yes GEN_EXAMPLES=
 
 %install
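Review bot: The two `echo '#define DECODE_..._LIMIT 8192' >> vpx_config.h` lines append the limits to a generated header, and nothing in the hunk checks that they take effect. As far as I know, libvpx's decoders only compare frame dimensions against these macros when `CONFIG_SIZE_LIMIT` is enabled. The configure options above `--enable-pic` lie outside this hunk, so please confirm the feature is switched on there; otherwise the defines would be inert and the CVE-2017-0641 limit would not be built in. A guard before `make`, such as `grep -q '^#define CONFIG_SIZE_LIMIT 1' vpx_config.h`, would fail the build rather than ship a package that only appears mitigated. Separately, the comment cites `bso#1056539` while the changelog entry cites `boo#1056539`, so the two references should be made to agree.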

